Secrets cannot be assigned as environment variables

Hello,
My purpose is to assign secrets as key-value pairs as environment variables.
I checked the example, but it doesn’t work as explained, so I changed it a bit.

Here is my config:

  podAnnotations:
    vault.hashicorp.com/ca-cert: "/run/secrets/kubernetes.io/serviceaccount/ca.crt"
    vault.hashicorp.com/agent-inject: 'true'
    vault.hashicorp.com/agent-inject-status: "update"
    vault.hashicorp.com/role: 'myproject-microservices'
    vault.hashicorp.com/agent-inject-secret-keycloak: 'kv/data/myproject/keycloak/access.env'
    vault.hashicorp.com/agent-inject-template-keycloak: |
      {{ with secret "kv/data/myproject/keycloak/access.env" -}}
        export KEYCLOAK_MYPROJECT_ISSUERXXX="{{ index .Data.data "keycloak-myproject-issuer" }}"
      {{- end }}

and…

...
          args:
            ["bash", "-c", ". /vault/secrets/keycloak"]
...

I check the path:

$ POD=myproject-backend-common-dms-6995f5bd54-jtvzf
$ CONTAINER=dms

$ k exec -n myproject $POD -c "$CONTAINER" -- \
>   printenv | grep XXX

$ k exec -n myproject $POD -c "$CONTAINER" -- \
>   cat /vault/secrets/keycloak
export KEYCLOAK_MYPROJECT_ISSUERXXX="https://mysite.com/realms/myproject"

$ k exec -n myproject $POD -c "$CONTAINER" -- \
>   ls -aln /vault/secrets/keycloak
-rw-r--r-- 1 100 1000 82 Dec  6 04:33 /vault/secrets/keycloak

Everything looks fine, but there are no environment variables. :frowning:

I am pulling my hair out here; could you please advise what I am missing?

Thanks & Regards
Tirelibirefe

I also tried this one, but it didn’t work either.

KEYCLOAK_MYPROJECT_ISSUERXXX="{{ index .Data.data "keycloak-myproject-issuer" }}"

and

["bash", "-c", "export /vault/secrets/keycloak"]

export KEYCLOAK_MYPROJECT_ISSUERXXX="{{ index .Data.data "keycloak-myproject-issuer" }}"

and

["bash", "-c", "/vault/secrets/keycloak"]

no luck :unamused:

Hi @tirelibirefe, the environment variables will not show up when you run printenv in the container, because they’re only set for the entrypoint command (probably process 1). So to see what its environment variables are, exec into the container and take a look at /proc/1/environ:

k exec -n myproject $POD -c "$CONTAINER" -- cat /proc/1/environ

The output will be a little squished but that’ll tell you for sure what’s set.

And so that the container stays up to inspect it, you may want to do something like this for cmd and args:

        command:
          ['bash', '-c']
        args:
          ['. /vault/secrets/keycloak && /bin/sleep 600']

Hello @tvoran
Thanks for your reply.
I cannot use…

        command:
          ['bash', '-c']

…because it overrides ENTRYPOINT in Dockerfile. My Dockerfile ends with that:

...
ENTRYPOINT ["dotnet", "WebAPI.dll"]

I tried …

      containers:
        args:
          ['. /vault/secrets/keycloak' && /bin/sleep 600']

…but it didn’t work.

I tried…

      containers:
          args: [bash; -c; . /vault/secrets/keycloak && /bin/sleep 60]

…it didn’t work either.

@tvoran could you please advise?

The problem here is that you are randomly guessing various permutations of YAML and shell syntax which are incorrect.

Instead you should be more closely following the example you referenced. Taking into account what you have said about the existing entrypoint, I think you are going to need:

command: ['sh', '-c', '. /vault/secrets/keycloak && dotnet WebAPI.dll']

Yes, you will need to redefine the full command, overriding the Dockerfile ENTRYPOINT - that’s an unavoidable feature of this injection technique.
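The mechanism behind that command, as an added shell demonstration that is not part of this thread or of the Vault injector: a rendered `export` file only reaches processes that are children of the shell that sourced it, which is why `kubectl exec ... printenv` and the "run the file as a command" attempts show nothing. A temp file stands in for /vault/secrets/keycloak, the issuer URL is a constructed sample, and `printenv` stands in for `dotnet WebAPI.dll`.

```shell
#!/bin/sh
# Added example: simulate what agent-inject-template renders and how the
# container command must consume it. All paths and values are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SECRETS_FILE="$WORK/keycloak"   # stands in for /vault/secrets/keycloak

# What the template in the thread renders (constructed sample value).
printf 'export KEYCLOAK_MYPROJECT_ISSUERXXX="https://example.invalid/realms/myproject"\n' > "$SECRETS_FILE"
chmod 0644 "$SECRETS_FILE"

# Equivalent of command: ['sh', '-c', '. /vault/secrets/keycloak && <app>'].
# The file is sourced by the same shell that then starts the app, so the app
# inherits the variable. 'exec' replaces the shell so the app becomes the
# entrypoint process (PID 1 in the container) and receives signals directly.
run_app_with_secrets() {
    sh -c ". \"$SECRETS_FILE\" && exec printenv KEYCLOAK_MYPROJECT_ISSUERXXX"
}

# Equivalent of 'kubectl exec ... printenv': a fresh process that is not a
# descendant of the shell that sourced the file, so it sees nothing.
run_unrelated_process() {
    printenv KEYCLOAK_MYPROJECT_ISSUERXXX || echo "UNSET"
}

# Equivalent of the attempt ['bash', '-c', '/vault/secrets/keycloak']: the file
# is executed in a child shell, and the export dies with that child.
run_file_as_command() {
    sh -c "sh \"$SECRETS_FILE\"; printenv KEYCLOAK_MYPROJECT_ISSUERXXX || echo UNSET"
}

# Readable form of the /proc/1/environ check suggested above (NUL-separated),
# for use inside the running container rather than in this demo.
show_pid1_env() {
    tr '\0' '\n' < /proc/1/environ
}
```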

You reprimand me but no problem…

I wish I were able to say it worked, but sorry, what you advised didn’t work.

Sorry, I meant it not as a reprimand, but an explanation of part of why you’re finding it difficult to get useful answers from this forum.

This is a community help forum where people answering questions are doing so not for any financial reward, but just for the satisfaction of having helped someone.

The point being, the easier you make it for people to help you, the more likely you are to be helped.

You are currently doing two things which make it seem it will be very hard to provide help via a forum:

  • You’re making up lots of syntaxes, seemingly at random (you’re not saying why you’re trying these syntaxes).

  • When something doesn’t work, all you’re saying is “it didn’t work” - no details, no error messages, nothing that would provide insight into how and why it didn’t work.

Please remember that we cannot see your screen and we cannot read your mind - you need to tell us what you see on your screen and what you’re thinking, to make it possible to help you.